That Shopping App You Downloaded Might Be Fake

Fake news isn’t the only thing that smartphone users should be cautious about these days.

With the holiday shopping season in full swing, a slew of fake retail apps are appearing in smartphone app stores. Once downloaded, these apps, which usually look like official shopping apps from retail brands, install malware on the phones of unsuspecting customers. From there, identity and credit card information can be stolen, or downloaded ransomware can remotely lock a user’s phone until they pay up.

Last week, researchers at cybersecurity company RiskIQ released a report estimating that one in 10 apps advertising Black Friday deals was fraudulent.

“This problem has been worse this year than any of the previous years,” said Ian Cowger, security researcher at RiskIQ. “Malicious authors targeting app stores have become much more adept at targeting holidays and other events that can net them users.”

As shopping increasingly moves online, the holiday season has become a traffic boon to shopping apps and websites. This past Black Friday, phone and tablet app shopping hit a record $3.34 billion in revenue, an increase of 33 percent from last year, according to an estimate by software and analytics company Adobe. Meanwhile, the number of brick-and-mortar Black Friday shoppers has dropped.

In an interview with CBS News, fashion blogger Michelle Madhok cited the ease of price shopping on mobile platforms. “It’s a click to see what the other prices are,” she said. “Before, you had to drive from store to store to compare prices or go through tons of inserts in your newspaper.”

The RiskIQ report said that five popular shopping brands were the biggest targets for counterfeit apps. The report did not detail which brands were most affected for fear of causing customer confusion or panic, but the Better Business Bureau of Mississippi, which issued a similar warning last week, cited stores such as FootLocker, Nordstrom, Zappos.com and Christian Dior as common targets.

The report, compiled by monitoring about 180 app stores worldwide, pointed to Google Play, AppChina and Baidu as the app stores with the highest number of counterfeit apps.

When asked for comment, Google supplied information on its prevention process for fraudulent apps, which includes automated scanning for spam-like code and the presence of malware, a team of experts who review apps for potential violations, and a user/developer community flagging function. “We take security seriously,” a Google spokesperson said in a statement.

But smartphone users need to stay vigilant. Jocelyn Baird, an editor at consumer safety website NextAdvisor.com, recommends downloading apps from official store websites whenever possible to avoid counterfeits. She said that an app purchase that shows up under an unrelated company name on a credit card statement is another typical warning sign. Baird also suggested reading the app name and description carefully for subtle distinctions from an official brand.

“When in doubt, you can do some Web searching to verify the full name a company uses,” she said. “Be on the lookout for misspellings or poor grammar, which you’re unlikely to see in the description for a real app.”

Cowger also recommended ignoring app reviews as an indicator since these can be forged. He noted that apps that ask for strange permissions, such as access to text messages, credit card information or passwords, should be approached with caution.

And last but not least: “If it seems too good to be true,” he said, “it oftentimes isn’t true.”